Tuesday, 12 September 2017 07:12

Full disclosure of open source CRM systems

Justification

The main reason we chose this approach is the overwhelming arrogance and ignorance of software producers who often claim multiple security audits and assure users that they follow applicable practices, and as a consequence lull companies and providers into a false sense of security. On the other hand, there are numerous providers who benefit from the solution but do not in any way contribute to the security or quality of the solution they deliver to customers. In our opinion, providers should support producers, so the principle of full disclosure will show whether a provider's presence influences the end product in a positive or negative manner.

Our experience showed that the producer ignored all reported bugs and either released a security patch after a few months or did not publish one at all, and sometimes only asked unnecessary questions (to which they already knew the answers). Everyone should begin to realize the responsibility that lies on the producer, the provider and the customer, because CRM systems often store confidential and sensitive data about a company, which should never see the light of day.

Every software product must implement a policy for code audits and then follow dedicated security procedures. If several critical errors can be found in one piece of software in a single day, it means that this software has never undergone any security audit. By publishing basic bugs, we want to force producers to change their approach, because security vulnerabilities found in their systems affect the way our customers perceive open source solutions.

Principles

When we find a bug in the YetiForce system, we will also verify it in similar projects such as VtigerCRM, SuiteCRM and coreBOS. This way we will test the security of several systems at once. Each bug that we find will be verified and documented to a minimum level, because it is more important to find a vulnerability and fix it as soon as possible than to document it in detail. When we find a bug in third-party software, we will first check whether it is also present in the YetiForce system, then describe the bug on our website and report it to the producer, either by mail or through their ticket system.

Final result

A system that is used by thousands of companies cannot have so many critical vulnerabilities that a mid-level security expert is able to find a few, or even a dozen, of them in one day. Naming producers and systems may force them to spend more revenue on security and encourage them to improve the quality of their products. If a producer claims to undergo a number of security audits and yet dozens of bugs can be found in the product with a small amount of work, it is worth considering whether the company selected for the audit was actually the best choice. Every producer has to identify their weaknesses and strive to eliminate them. Sometimes the audit company turns out to be the weakest point in security.

The most important point is that the people who fix errors will expand their knowledge and skills, which in the long term will only benefit the producer, the providers and, most importantly, the end customer.